jab2870/Website
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Website/content/blog/019-my-new-home-network.md
Jonathan Hodgson 7cf34b3650 Updates everything
2025-07-11 19:05:04 +01:00

162 lines
8.1 KiB
Markdown
Raw Blame History

---
title: My New Home - Network
date: 2023-02-08
tags:
- Privacy
- My New Home
description: >
I recently bought a new House. In this post, I discuss my network setup as
part of a series of posts about the setup.
---
So, we have finally moved into our new home. The buying process took far too
long, I am sick to death of dealing with solicitors, but we are now in. I hope
this will become a series of blog posts in which I detail the setup process.
This particular post will be the network.
My initial intention had been to buy some land and build a house. However, the
process of doing so in the UK was ... annoying, so instead we went for a new
build. We found the property early enough in the build process that we were able
to make various requests. One of which was for the electrician to run Cat-6
ethernet cable throughout the house before the walls were plastered. The cables
all run into our under-stairs cupboard which I managed to convince my wife to
give me as a server room.
The majority of our rooms have 2 ethernet sockets in opposite corners. Our
lounge has 4, one in each corner. Our hall and landing both have celling mounted
ports for access points. I think this is probably more than we need, but at the
time we didn't know how we'd lay the rooms out, so we put in more than we
thought we'd need. I think this was a good choice. Running ethernet is much
easier when you don't have plaster to contend with. And they are just sockets on
the walls -- they are no uglier than mains, telephone or coax sockets.
## Network Gear
In terms of the network gear, I decided to take the plunge and try TP-Links
Omada line. I think it is fair to say that in the pro-sumer arena, Ubiquity are
the most popular. However, they are also expensive. I watched a lot of YouTube
and decided that TP Link's product catered for my needs.
I bought:
* [A Router / firewall](https://amzn.to/3HwPACO) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08SWR1K56/))
* [A Switch](https://amzn.to/3I1rB07) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08W4PM24H/))
* [An Access Point](https://amzn.to/3RCFkxw) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B09ZF7HPFB/))
I won't go into too much detail on the individual devices I got as copying me is
a pretty bad idea. You want to make the decision based on the size of your
network, the speeds you need and the sorts of devices you want to attach.
## Network Configuration
I run the TP Link Omada Controller in a Docker container on my home server. I
have had no issues with it at all so far.
In terms of the software itself, I would say that it's not quite on a par with
Ubiquity's product, however, it is more than sufficient for my needs and I would
think more than sufficient for most home users and small / medium businesses.
The only area I found it to be a little lacking was the firewall configuration.
However, before I explain that, it would be helpful for me to explain the VLANs
I have on my network. In case you don't know, a VLAN is a virtual network. It is
useful for categorising and segregating devices. I have seen many examples
across the internet of people who setup tens of VLANs for their home network.
However, I think any security gains you may get from that are outweighed by the
added complexity maintaining it. I have opted for two VLANs.
My first VLAN is for trusted devices. Trusted devices are my computers, my
wife's computers, our phones and my server. These are able to communicate
with each other and the internet.
My second VLAN is for smart devices. These are devices that have no business
talking to each other or the internet. The only device they can communicate with
is my server running Home Assistant, an NTP server and a DNS server.
This can all be achieved easily with the Omada software. Where it is lacking is
in its inability to set up stateful firewall rules. I would like to configure
the firewall so that devices on my trusted network can communicate with devices
on the smart VLAN, and the smart devices should be able to reply. Meaning, from
my laptop, I cannot SSH into [my vacuum](/blog/i-got-a-robot-vacuum/) because
that requires 2 way communication. There is talk [on
Reddit](https://libreddit.kavin.rocks/r/HomeNetworking/comments/mrxsbg/tplink_omada_switch_acls_arent_stateful/)
that future firmware may support this, but at the moment it doesn't. I have got
around this by using my server as a jump box to SSH from as smart devices are
able to connect to this, although I'd prefer a stateful firewall solution.
I am also not able to force all DNS requests to my DNS server. On some router /
firewall solutions, you can force all outbound traffic on port 53 (DNS) to a
particular device. I have to rely on devices honouring the server specified via
DHCP. However, they seem to be doing this. They are unable to communicate with
any other servers so even if they are only honouring my choices because they
have no choice, I don't really care.
## NTP
One of the issues I overlooked when planning my network setup was that of the
Network Time Protocol (NTP). I have Chrony running on my server, but many
devices don't allow you to specify an NTP server. Instead, they just silently
fail, and leave you scratching your head whilst trying to correlate times in log
files. A particularly annoying case of this had a device default to a date in
January 2022. Whilst debugging an issue, it was January 2023 and I completely
missed the fact that it was a year out for far too long.
It should be possible to configure an NTP server via DHCP. However, the Omada
software doesn't [appear to support
it](https://community.tp-link.com/en/business/forum/topic/256680). Eventually, I
might allow my Pi Hole to manage IP assignment which would allow me to configure
the appropriate DHCP options, although that would still be reliant on devices
obeying it.
For now, I have pointed the domains I saw being used at my server, which appears
to have worked.
## Network Connection
Another issue I came across is that some mobile apps for self hosted programs
don't work without an internet connection. I [raised an
issue](https://github.com/advplyr/audiobookshelf-app/issues/566) for
Audiobookshelf. The owner responded quickly and after a few screenshots
acknowledged the bug. This is not supposed to be a knock on the app -- I have
been hugely impressed by the speed of responses I've had from the team who work
on it. It is instead supposed to highlight the fact that many tools are not
tested against the sort of non-standard setup I have here. As a result, I am
going to run into issues that I wasn't expecting.
In the case of Audiobookshelf, it looks like one of its libraries checks for
internet connectivity rather than network connectivity. After checking my
pihole's logs, it turns out that Android devices make regular (unencrypted)
requests to <http://connectivitycheck.gstatic.com>. This is used to identify
captive portals as well as verify internet connectivity. Fortunately for me,
being unencrypted, I can host a simple webserver and point that domain at it on
my network. So that's what I did. The relevant NGINX config is below:
```nginx
server {
listen 80;
listen [::]:80;
server_name connectivitycheck.gstatic.com;
location / {
return 204;
}
}
```
After this, the app started working as expected.
## WPS
WPS is a method of connecting to a network without having to enter a password.
It generally involves pushing a button on your access point and a button on your
phone / device then "magically" the device is on your network. This method of
connection has been shown to have several security weaknesses. Many modern
solutions, including Omada and Ubiquiti have stopped providing this as an
option.
I approve of this decision, it is something I would have disabled if it had been
present. However, my printer has no other way of connecting to the network. No
ethernet and no way to enter a password. I think I'll probably have to dig out
an old router that does support WPS and hope that after connecting, the printer
will have a web interface that allows me to change the network configuration. If
not, I may have to just plug a small SBC into it and run a cups server on that.
Reference in a new issue View git blame Copy permalink